Open letter calling on EU lawmakers to not require sharing technical details of unpatched security vulnerabilities with EU's Agency for Cybersecurity ENISA

We, the undersigned organisations, write to express our concern with vulnerability disclosure requirements under the proposed Cyber Resilience Act (CRA). The CRA’s objective to encourage software publishers to patch vulnerabilities and report cyber incidents is salutary. However, the CRA’s mandatory disclosure of unmitigated vulnerabilities will undermine the security of digital products and the individuals who use them.

The CRA would require organisations to disclose software vulnerabilities to government agencies within 24 hours of exploitation (Cyber Resilience Act, Articles 11.1, 13.6, 14.4). However, such recently exploited vulnerabilities are unlikely to be mitigated within such a short time, leading to real-time databases of software with unmitigated vulnerabilities in the possession of potentially dozens of government agencies. The more this kind of information is spread, the more likely it is to be misused for state intelligence or offensive purposes, or to be inadvertently exposed to adversaries before a mitigation is in place. In addition, laws that require disclosure of unmitigated vulnerabilities to government agencies create an international precedent that may be reflected by other countries.

We call on you to help improve the CRA by including safeguards that help prevent misuse of vulnerability information:

  1. Limit details. The regulation should not require disclosure of technical details of unmitigated vulnerabilities to government bodies that would enable another party to reconstruct the vulnerability or develop code to exploit it.
  2. Prohibit offensive uses. The regulation should include a clear restriction on the use of software vulnerabilities by public bodies, i.e. for intelligence, surveillance, or offensive purposes.
  3. Provide time to mitigate. In the absence of user harm or a substantial incident, organisations should have a reasonable time to remediate or address the vulnerability before requiring disclosure of its details to governments. A typical standard period for the mitigation of known vulnerabilities is 90 days.
  4. Secure vulnerability information. Agencies should be obligated to protect vulnerability information with robust security safeguards and to share it only on a very strict need-to-know basis.
  5. Protect good faith security researchers. The regulation should distinguish between vulnerabilities discovered in good faith for defensive purposes and those that are exploited by malicious actors. Good faith security researchers who follow coordinated vulnerability disclosure standards should be protected from retaliation.

We share the goal of strengthening the security of digital products and protecting individuals. The above safeguards will help the CRA achieve its goals of a more resilient and protective technology ecosystem. We appreciate your consideration of our recommendations.

original PDF with all signers


I hold a different viewpoint on this matter. Software with issues should be promptly removed and legal action should be taken against the manufacturer. Such software should not be put to use again. It’s crucial that we persist in revealing unresolved vulnerabilities because malicious parties can obtain this information regardless.

It’s essential for people to understand that there’s often a malicious motive behind closed-source software. A developer who conceals their code likely does it with ill intent. Consequently, such software should be swiftly uninstalled and permanently deleted.

Can you show us software WITHOUT issues first?


. . . and how you remove digital “things” on a global scale

Good afternoon:

I don’t know if this will be true. I refer to what they say about Threads.

But an application that asks for all this: Threads is going to know everything about you, according to Apple's privacy report: from banking information to even your Health data

Well, it should not even exist.

Or with ideas like this:
EU rules that US is safe destination for personal data: The EU believes the United States is a safe destination for European personal data | Euronews

A hug

@ecxod that doesn’t sound like a different viewpoint on this issue to me, that sounds like a separate issue, though all quite closely related. The specific way that the CRA requires disclosure is problematic. It creates a central database of vulnerabilities for hackers to target and government agencies to raid. I haven’t heard opposition within this community to mandatory disclosure, I personally think it is a good idea. But it needs to be implemented properly. A bad implementation can easily do more harm than good.
